On Mon, Nov 9, 2015 at 5:20 PM, Patrick Shanahan wrote:

* cagsm [11-09-15 11:13]:

...

On Mon, Nov 9, 2015 at 4:57 PM, Carlos E. R. wrote:

...

It is a single line of probably javascript code.

sigh. please stop executing code in mails. mails are supposed to be text. text only ever since their invention. stop the html and other mess.

Please use private mail if you wish to issue admonitions. The mail is *not* html, it is *text*. And since when is code not allowed?

And, if you wish to jump on me, use private mail as I will not debate this further on-list.

Where are you suddenly coming from? I replied to some carlos guy thread to the list. Also if the mail is text only then why worry what the text reads? Text email is text email. It cant be executed. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R. wrote:

My question, not because it poses a danger to me, is whether this particular type of trojan (that's what I think it is)

It's not a trojan. It's javascript - to my knowledge, all javascript is run in sandboxes, even on Windows. Send me the whole thing and I'll tell you what it does. -- Per Jessen, Zürich (12.2°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2015-11-09 20:41, Carlos E. R. wrote:

On 2015-11-09 20:25, Per Jessen wrote:

...

It's not a trojan. It's javascript - to my knowledge, all javascript is run in sandboxes, even on Windows. Send me the whole thing and I'll tell you what it does.

Done, thanks.

Well, trojan is whatever thing that is sent disguised. The disguise is a Fax document.

It bounced from you: Diagnostic-Code: smtp; 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/answer/6590 to review our message 552 5.7.0 content and attachment content guidelines. n19si3622488wjr.18 - gsmtp I also got another bounce from another machine; Time received: 11/9/2015 7:38:59 PM Message ID: <5640F64C.3040607@telefonica.net> Detections found: Message Body JS/Obfuscator.GX -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 2015-11-10 08:24, Per Jessen wrote:

Carlos E. R. wrote:

...

Well, trojan is whatever thing that is sent disguised. The disguise is a Fax document.

I suppose so - still a trojan horse with greek soldiers that can't get out isn't much good :-)

LOL. Right. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 10/11/15 19:10, Basil Chupin wrote:

On 10/11/15 03:20, Patrick Shanahan wrote:

...

* cagsm [11-09-15 11:13]:

...

On Mon, Nov 9, 2015 at 4:57 PM, Carlos E. R. wrote:

...

It is a single line of probably javascript code. sigh. please stop executing code in mails. mails are supposed to be text. text only ever since their invention. stop the html and other mess. Please use private mail if you wish to issue admonitions.

Oh Patrick, you are a card! :-D .

Would you call your post to cagsm a non-admonishing e-mail? 8-)

...

The mail is *not* html, it is *text*. And since when is code not allowed?

And, if you wish to jump on me, use private mail as I will not debate this further on-list.

R-i-g-h-t ... you will not debate this further on-list. Fair 'nuff in which case I will not further provoke your religious beliefs by making additional comments here in public.

I have to report that Patrick and I have had an exchange of e-mails re this matter and while he would like to add some comments, but because he is a man of his word ( "...I will not debate this further on-list") he won't do so, which is something I applaud him for. (But it doesn't mean I won't kick you in the shin next time you step out of line, Patrick! :-) .) BC -- Using openSUSE 13.2, KDE 4.14.9 & kernel 4.3.0-1 on a system with- AMD FX 8-core 3.6/4.2GHz processor 16GB PC14900/1866MHz Quad Channel RAM Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2015-11-09 20:02, Carlos E. R. wrote:
> On 2015-11-09 17:05, ellanios82 wrote:
>> On 11/09/2015 05:57 PM, Carlos E. R. wrote:
>>> Would this "work" on Linux?
>>  - mr Varnell of clamav list will probably know : 
> 
> I guess I could post to that list.

clamav does not see it as virii:


cer@Telcontar:~/viruses/tmp> clamscan scan_00000810300.doc.js 
scan_00000810300.doc.js: OK

----------- SCAN SUMMARY -----------
Known viruses: 4091764
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 6.836 sec (0 m 6 s)

cer@Telcontar:~/viruses/tmp> 
cer@Telcontar:~/viruses/tmp> file scan_00000810300.doc.js 
scan_00000810300.doc.js: ASCII text, with very long lines, with no line terminators
cer@Telcontar:~/viruses/tmp> 


neither does antivir, an old version.

-- 
Cheers / Saludos,

		Carlos E. R.
		(from 13.1 x86_64 "Bottle" at Telcontar)

On 2015-11-09 20:23, Per Jessen wrote:

Carlos E. R. wrote:

Given that it is javascript, it can't do much harm, at most it'll probably take you to a website.

I don't know, it is code. I can't read javascript, but I'll have a guess at it. e7+=n1();e7+=s2();e7+=s7();e7+=v4();e7+=r3(); That looks very ugly to me. But it may be only obfuscation. It seems to start with a declaration section: var str="5552505E160B060D0A4A080D171005172410010801020B0A0D07054A0A01105E3C5E100A10031601010A174A070B095E17555E55505053545C505556555E55"; function y5(){return 'xa.clo';}; function c8(){return 'jet.c';}; function n9(){return ' = WS';}; function r8(){return 'ODB.Str';}; function b8(){return 'eam"); ';}; function t7(){return 'cript';}; function a2(){return 'i++) { ';}; function v2(){return 'n(fn+n+';}; function g2(){return 'eObject';}; function n1(){return 'var b';}; function e9(){return '};';}; function u7(){return '; xa.w';}; function x1(){return 'tring';}; function y7(){return '); va';}; function b9(){return '".exe",';}; function i2(){return eval;}; which declares a lot of functions (like replacement macros in C, I guess). At the end, there is another section with the actual calls: e7+=n1();e7+=s2();e7+=s7();e7+=v4();e7+=r3();e7+=c6();e7+=o9();e7+=l0(); You see, it is a funny way of obfuscating a script. The last command is: i2()(e7); which is probably the actual code, after creating an "e7" string with whatever it really wants to do. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 2015-11-10 08:40, Per Jessen wrote:

I guess you didn't post all of the code?

No, certainly. I did not want to trigger filters. ;-)

Most of those functions aren't defined above. It looks similar to this:

https://www.hybrid-analysis.com/sample/3af098f396af3e6f5d56107ba443546cddda2...

Yes, exactly.

My guess is that it'll take you to a website for downloading a trojan.

My, what a complicated way... Would that work in Linux, or the target is Windows only? I saw a string mentioning ".exe". -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 2015-11-09 19:36, John Andersen wrote:

On 11/09/2015 07:57 AM, Carlos E. R. wrote:

Anyway, I never touch them on a windows machine, do all my inspections on linux, and have never had one of these do anything, but then the only thing I do is LOOK at the contents of the zip.

Yes, same here, I looked out of curiosity. And I got interested when I saw that it seems to be javascript; Thunderbird, for instance, can execute javascript in email. Also it has no html. It is plain text. I don't get a lot of spam, anyway. Some days none at all. Thunderbird does not signal this one as bad, though, nor my ISP. Which is why I looked at it. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 2015-11-09 20:04, John Andersen wrote:

On 11/09/2015 11:01 AM, Carlos E. R. wrote:

...

Thunderbird, for instance, can execute javascript in email.

It can, but doesn't by default. Who would turn that on? Pretty sure no one on this list ... ;-)

Actually, many. Me, for instance. See, Thunderbird comes with a calendar thing by default nowdays, which you can sync with google by using "provider for Google Calendar". Well, this thing, at least when authenticating, requires javascript to be enabled. I know this for a fact because I had it disabled and it failed. (I don't care if Thunderbird has a calendar, but I do use a lot the Google calendar in my mobile phone. Being able to access it in the computer is very handy. Yes, I know I can do it via web too.) Thus I use this Thunderbird feature. And having javascript enabled scares me more than a bit. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)